Thousands of compromised Apache servers direct users to malware

What do the recent compromises of a number of LA Times websites and the blog of hard disk drive manufacturer Seagate have in common?

According to several security researchers, all these sites are hosted on servers running Apache web server software, and have been compromised and equipped with module that is able to insert and rotate malicious iFrames on all pages of websites hosted on these servers.

The iFrames in question usually redirect users to website hosting exploit kits (mostly Blackhole) and they often end up with malware on their computers.

The information security community has know about Darkleech (as the malicious module is dubbed) for a while now. The first attacks using it have been spotted in August last year by the writers of the Unmask Parasites blog, and the module has been offered for sale on underground online markets for months.

The thing that makes this malware special is that it behaves in a way that makes it difficult for security researchers to track down compromised sites. The injected iFrames are generated on the fly as visitors land on the sites, and not all visitors will trigger the injection.

According to information shared with Ars Technica’s Dan Goodin, those coming from IP addresses belonging to security companies and hosting firms as well as those who have been recently attacked already or come to the sites via search queries that have been specified, will not be targeted and affected, i.e. they will land on the non-modified pages.

This same reason is why it is difficult to find these sites via standard Google searches.

Another great problem for the researchers is that they can’t figure out how the attackers gain access and control over the servers in order to deploy the malicious module. It could be anything from software vulnerabilities (known and unknown), social engineering attacks or password cracking.

According to Mary Landesman, senior security researcher for Cisco Systems, who has analyzed a sample of 1,239 compromised websites during six weeks earlier this year, all are hosted on servers running Apache version 2.2.22 or higher on different Linux distributions.

At the same time, she detected almost 2,000 affected web host servers in total. If the average number of sites hosted by one web server is 10, it means that some 20,000 websites (and all their respective web pages) were compromised.

Purging the servers of the offending module is difficult, the researchers say, and the best course of action would be to shut them down, wipe them completely, then restore them from back up, and make sure to change all server credentials. And that still does not guarantee that the attackers have not left behind a backdoor to allow them back in again.